Malicious hacker ip address blacklist is not checkable nor valid
Is the Outgoing Connections Manager a useful firewall?
Many years ago, if I remember correctly around 2013 or 2014, I was trying to use the Outgoing Connections Manager in the Hepsia control panel to allow email to be sent out only to certain IP addresses. cPanel has similar features.
By doing this, mail to any other IP address would be blocked. This was to prevent hackers from installing bad scripts that publish thousands of emails per day from my websites. If these email hackers succeeded in spamming the world through my website, then my email address would be blacklisted and I would not be able to send emails to friends and clients.
In order to do this I needed to know all the IP addresses used by SMTP servers for such activity and needed to provide a list of all these SMTP servers' IP addresses in the Outgoing Connections Manager.
After a lot of searching and analysis I realized I would never know all the IP addresses used by Google or Yahoo or other SMTP servers. Nor could I specify only certain IP addresses, because when the SMTP server's IP address changed my own outgoing mail would be blocked. This meant I had failed in my quest to block emails going out to irrelevant SMTP servers. It also meant that the function of the Outgoing Connections Manager was useless. In the end I deactivated my Outgoing Connections Manager.
I did report this issue to my hosting service's tech support staff and they too had no solution to this problem. In the final analysis I told them to change the system so that, instead of making a list of IP addresses to be allowed by the Outgoing Connections Manager, I should be allowed to just specify the name of the SMTP server. For example 'Google' or 'Yahoo' or 'Hotmail' or the name of any valid SMTP server - as if there were a DNS or a reverse DNS for SMTP servers. A list of IP addresses could be held by the server or in a database, or my hosting server could contact, say, Google to confirm whether it is their IP address before the email is sent out. To date I have not seen this or anything similar being implemented. Google, Microsoft, Yahoo, Apache and the like, please come out with a solution.
Defending my website against hackers
I have been defending my websites from hackers since 2013. In 2011, my first WordPress website, http://bachutha.com, which was on a shared hosting plan, was hacked. The server tech support team could not put the site back together again, nor did they know how to clean up the hacker code embedded in my site. In the end they deleted all the contents of the server and then restored a backup that I uploaded to them. I was lucky that I had saved backups on my PC instead of depending on the server backups.
By 2013 the hacking attacks on my website had become a daily affair. My site would hang, show corrupt pages or just not appear to any visitor. I asked many people for help, as most WordPress security plugins were not effective against hacking activity. Worse still, I did not know who was hacking my site. It was a very frustrating time as I could not identify the hackers and did not know how to block them. I found out later that those who had websites and knew PHP did not know what to do to protect their websites from hackers either. After that I moved my website to another web hosting provider.
The hackers were having a field day attacking us. Many of us were on tight budgets, so we could not hire experts to help us out. In the end, by 2013, I decided to learn PHP and try to develop code to block hackers.
Today in 2018, 5 years later, I have been able to defend my websites from hackers with my Bad Bot Exterminator program. As a result I found out that most hackers came from the USA, Canada, France, Germany, the Netherlands, Moldova, Ukraine, Russia and Turkey, and the most dangerous were the Chinese. Even the Muslim terrorists had a cyber warfare arm focused on damaging websites that they did not like, and I had been on the receiving end of it.
Do not ever think it is just individuals who hack your sites. I have found hackers originating from large, well-known American corporations too. I think they tried to hack my site to see how well I was able to defend it from hackers. Their DoS attacks have failed miserably.
I found out that the Eastern European and Russian hackers find out about your site through the Yandex search engine. The Chinese hackers and the Chinese military find out about your site through Baidu and other crawlers which are registered as American and Canadian owned. This means that if you do not want hackers from Eastern Europe, Russia and China to know about your website, block Yandex and Baidu from visiting your website.
I found out that hacker crawlers ignore what is written in robots.txt. In fact they use the information in robots.txt to know which directories are important to you, in order to search for precious files that can be damaged and corrupted.
In the end I resorted to blocking certain search engines by placing instructions in my .htaccess file. For the novice web publisher this can be done by following the example shown on Stack Overflow.
IP address lookup
Over the years I found that the single most important piece of information that can be used to block hackers is their IP address. With their IP address you can find out who owns it and determine which country and town they come from, which corporation is issuing these hacking crawlers, which web hosting provider is providing them with server and hosting facilities, and how often they are visiting your site.
Unfortunately, as of March 14th 2018, all that changed. Many large corporations have decided not to provide the IP addresses of the crawlers. It has now become even more difficult to block hackers as they are taking advantage of the changes in information provided by the visitor.
The IP address of visitors to your site is now meaningless
For those who are technical, some examples of the information provided are shown below.
A Sample of IP addresses
The sample of IP addresses shown below is what we could use previously.

| Item | Date | IP Address |
|---|---|---|
| 1 | 2017/12/20 Wed 07:39:27 | 209.90.232.167 |
| 2 | 2017/12/20 Wed 10:12:05 | 198.204.244.163 |
| 3 | 2017/12/20 Wed 13:54:13 | 120.76.121.20 |
| 4 | 2017/12/20 Wed 20:42:32 | 209.90.232.167 |
| 5 | 2017/12/21 Thu 16:42:31 | 140.143.93.167 |
| 6 | 2017/12/22 Fri 02:31:55 | 43.252.228.133 |
| 7 | 2017/12/22 Fri 08:56:46 | 114.215.164.201 |
| 8 | 2017/12/22 Fri 16:04:14 | 115.29.32.55 |
| 9 | 2017/12/22 Fri 17:31:24 | 59.188.250.179 |
| 10 | 2017/12/23 Sat 00:32:01 | 116.213.193.229 |
| 11 | 2017/12/23 Sat 08:11:02 | 213.239.215.66 |
| 12 | 2018/04/29 Sun 09:40:12 | 66.249.79.91 |
| 13 | 2018/04/29 Sun 12:56:08 | 66.249.79.91 |
| 14 | 2018/02/16 Fri 02:09:46 | 68.180.228.184 |
| 15 | 2018/02/16 Fri 10:21:10 | 68.180.228.51 |
With the latest changes, the IP addresses of visitors are not revealed and only 'IP Names' are provided, as shown below:
IP Addresses have been changed to IP Names
| Item | Date | IP Address (IP Name) |
|---|---|---|
| 1 | 2018/03/16 Fri 09:12:55 | legitimate.tor-exit.185.87.185.45.email.torbk-at-xs4all.nl |
| 2 | 2018/03/30 Fri 13:46:57 | tor-exit.bbserv.nl |
| 3 | 2018/04/02 Mon 02:50:43 | tor-exit.hartvoorinternetvrijheid.nl |
| 4 | 2018/04/02 Mon 14:23:39 | legitimate.tor-exit.185.87.185.45.email.torbk-at-xs4all.nl |
| 5 | 2018/04/05 Thu 05:33:51 | v-34539-unlim.vpn.mgn.ru |
| 6 | 2018/04/25 Wed 06:29:01 | customer.worldstream.nl |
| 7 | 2018/03/14 Wed 12:21:56 | jtorexit8013.onthewifi.com |
| 8 | 2018/03/14 Wed 13:03:37 | 84-201-133-60.spider.yandex.com |
| 9 | 2018/03/14 Wed 14:19:33 | 135.137.212.118.adsl-pool.jx.chinaunicom.com |
| 10 | 2018/03/16 Fri 01:25:07 | unknown |
| 11 | 2018/03/14 Wed 12:11:37 | 199-47-87-140.ip87.iparadigms.net |
| 12 | 2018/03/14 Wed 12:12:09 | baiduspider-220-181-108-157.crawl.baidu.com |
| 13 | 2018/03/14 Wed 12:20:13 | msnbot-207-46-13-174.search.msn.com |
| 14 | 2018/03/31 Sat 17:42:46 | broadband-188-32-136-57.moscow.rt.ru |
| 15 | 2018/04/01 Sun 00:30:19 | sogouspider-106-38-241-167.crawl.sogou.com |
| 16 | 2018/04/01 Sun 01:17:26 | mm-249-149-85-93.dynamic.pppoe.mgts.by |
| 17 | 2018/04/01 Sun 04:50:42 | fulltextrobot-77-75-77-62.seznam.cz |
| 18 | 2018/04/30 Mon 00:53:18 | 62-210-251-225.rev.poneytelecom.eu |
| 19 | 2018/04/30 Mon 04:24:31 | 103-218-26-218.dhaka.dozeinternet.net |
| 20 | 2018/04/30 Mon 04:38:35 | no-mans-land.m247.com |
| 21 | 2018/04/30 Mon 10:00:09 | tc-cutuk-net-17-111.team.ba |
| 22 | 2018/04/30 Mon 11:27:27 | dynamicip-94-181-198-108.pppoe.kirov.ertelecom.ru |
| 23 | 2018/04/30 Mon 12:29:00 | 177-114-121-65.user.vivozap.com.br |
| 24 | 2018/03/14 Wed 19:11:28 | crawl-66-249-69-102.googlebot.com |
| 25 | 2018/05/01 Tue 02:16:21 | msnbot-157-55-39-79.search.msn.com |
| 26 | 2018/05/01 Tue 06:05:06 | msnbot-207-46-13-12.search.msn.com |
| 27 | 2018/05/01 Tue 06:59:43 | msnbot-40-77-167-105.search.msn.com |
You will observe that many bots and hackers are using the new system to hide their IP addresses. Some have used terms like 'unknown' or placed other numbers to disguise their real identity. The list above is just a small sample. Over the last 5 years I have discovered many abuses by hackers and bad bots.
What do you do if a hacker claims his crawler is a genuine Google crawler, like the one shown below?

| Field | Value |
|---|---|
| IP Address (IP Name) | crawl-37-249-69-102.googlebot.com |
| HTTP User Agent | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) |

This is a fictitious example of an IP name that is very similar to the name of Google's bot.
Hacker bots pretending to be Google bot
I have found a lot of misinformation in the data provided by hackers. It is almost garbage data with no relevance to the real information. For example, between February and March 2018, I found 5 or 6 crawlers pretending to be Google. They were impostors. Please see the table below.

| Date | IP Address | HTTP User Agent | Country | City |
|---|---|---|---|---|
| 2018/02/08 Thu 14:12:35 | 39.73.142.17 | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | China (CN) | Jinan |
| 2018/01/25 Thu 13:53:41 | 187.191.101.63 | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | Brazil (BR) | n.d. |
| 2018/02/04 Sun 06:26:39 | 89.19.29.16 | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | Turkey (TR) | n.d. |
| 2018/02/08 Thu 14:12:35 | 39.73.142.17 | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | China (CN) | Jinan |
| 2018/02/13 Tue 15:07:18 | 37.252.14.101 | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | Netherlands (NL) | n.d. |
| 2018/03/16 Fri 05:19:29 | 72.9.226.130 | Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) | United States (US) | Spring |
Without the actual IP address, or with the IP address replaced by an IP name, it is very much more difficult to track and defend against hackers. How are we going to report the IP addresses of hackers? How are we going to trace a hacker's IP address and block it in future? Worse still, it does not help in identifying IP addresses that are allowed or blocked by the Outgoing Connections Manager.
Recommendation to PHP developers
My recommendation to PHP developers is to block any visitor that does not reveal his IPv4 or IPv6 address, as this is the safest technique to block hackers.
Recommendation to Google, Microsoft, Apache, ...
The IP address should only ever be an IPv4 or IPv6 address and nothing else. It should be hardwired into the server global variable so that it cannot be modified to an IP Name or a fake IP address. If internet users need an IP Name, they should place it in a new global variable such as $_SERVER['IP NAME'] instead of using the global variable $_SERVER['REMOTE_ADDR'].
It is just terrible that they have removed the IP addresses of visitors. This means that hackers will have a great time attacking websites, with anonymity and immunity against any protective hacker defense system and the law.
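The two questions raised above, whether a visitor that calls itself Googlebot is really Google, and whether a remote address that is not a plain IPv4/IPv6 literal should be accepted at all, can both be answered mechanically. The following Python script is an added example written for this page; it is not code from the article or from the Bad Bot Exterminator program. It performs the forward-confirmed reverse DNS check that Google documents for its crawlers (the reverse name must end in googlebot.com or google.com and must resolve forward to the same address). To run offline it uses constructed in-memory DNS tables: only the 66.249.69.102 / crawl-66-249-69-102.googlebot.com pair is taken from the log above; the PTR records assigned to the other addresses (including the forged crawl-37-249-69-102.googlebot.com name and the entries for 39.73.142.17 and 72.9.226.130) are assumptions invented to show each way the check can fail, not real DNS answers.

```python
"""Forward-confirmed reverse DNS check for a visitor that claims to be Googlebot.

Added example (not code from the article or from Bad Bot Exterminator).  The DNS
tables below are constructed stand-ins for the live resolver so the script runs
offline; see the usage note for the live socket calls.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Google documents that its crawlers reverse-resolve to a name under one of
# these domains, and that the name resolves forward to the same address.
GOOGLE_SUFFIXES: Tuple[str, ...] = ("googlebot.com", "google.com")

# Constructed PTR (reverse) data.  Only the first pair is the genuine shape
# seen in the log above; the other entries are assumptions built to show
# each failure mode and are not real DNS answers for those addresses.
CONSTRUCTED_PTR: Dict[str, str] = {
    "66.249.69.102": "crawl-66-249-69-102.googlebot.com",  # genuine Googlebot name
    "37.249.69.102": "crawl-37-249-69-102.googlebot.com",  # PTR forged by the address owner
    "39.73.142.17": "host-39-73-142-17.example.net",       # ordinary PTR, not Google
    # 72.9.226.130 is deliberately absent: no PTR record at all
}

# Constructed A (forward) data.  The forged name has no entry because only
# Google controls the googlebot.com zone, so it never resolves.
CONSTRUCTED_A: Dict[str, List[str]] = {
    "crawl-66-249-69-102.googlebot.com": ["66.249.69.102"],
    "host-39-73-142-17.example.net": ["39.73.142.17"],
}

Resolver = Callable[[str], List[str]]


def constructed_ptr(ip: str) -> List[str]:
    """Reverse lookup against the constructed table (empty list = no PTR)."""
    name = CONSTRUCTED_PTR.get(ip)
    return [name] if name else []


def constructed_a(name: str) -> List[str]:
    """Forward lookup against the constructed table (empty list = NXDOMAIN)."""
    return CONSTRUCTED_A.get(name, [])


def is_literal_ip(value: str) -> bool:
    """True only for a plain IPv4/IPv6 literal; 'unknown' or a host name fails."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def in_domain(name: str, suffixes: Tuple[str, ...]) -> bool:
    """Match on a label boundary so 'x.googlebot.com.evil.net' is not accepted."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def verify_crawler(ip: str,
                   ptr: Resolver = constructed_ptr,
                   forward: Resolver = constructed_a,
                   suffixes: Tuple[str, ...] = GOOGLE_SUFFIXES) -> Tuple[bool, str]:
    """Return (verified, reason).  Verified only when the reverse name is under an
    official crawler domain AND that name resolves forward back to the same IP."""
    if not is_literal_ip(ip):
        return False, "remote address is not an IP literal"
    names = ptr(ip)
    if not names:
        return False, "no PTR record"
    for name in names:
        if not in_domain(name, suffixes):
            continue
        # Whoever owns the address can publish any PTR text; only the domain
        # owner can make that name resolve back, so the forward step is the proof.
        if ip in forward(name):
            return True, f"forward-confirmed as {name}"
        return False, f"PTR {name} does not resolve back to {ip}"
    return False, "PTR not under an official crawler domain"


def classify(remote_addr: str, user_agent: str) -> str:
    """The User-Agent is free text and proves nothing; DNS decides, and the UA
    only tells us whether a failed check was an outright impostor."""
    verified, _ = verify_crawler(remote_addr)
    if verified:
        return "verified-googlebot"
    if "googlebot" in user_agent.lower():
        return "impostor"
    return "unverified-visitor"


if __name__ == "__main__":
    # Constructed log rows in the shape of the impostor table above.
    GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for addr in ("66.249.69.102", "37.249.69.102", "39.73.142.17", "72.9.226.130", "unknown"):
        print(f"{addr:16} {classify(addr, GOOGLE_UA):20} {verify_crawler(addr)[1]}")
```

For live use, replace the two constructed resolvers with `lambda ip: [socket.gethostbyaddr(ip)[0]]` (catching `socket.herror` when there is no PTR) and `lambda name: socket.gethostbyname_ex(name)[2]` (catching `socket.gaierror` for a name that does not exist); in PHP the same two steps are `gethostbyaddr()` and `gethostbynamel()`. The value fed to `classify()` should be the address the web server fills into `$_SERVER['REMOTE_ADDR']` from the TCP connection, which the client cannot set, and never a request header such as X-Forwarded-For, which it can. Anything that fails `is_literal_ip()`, such as the 'unknown' entry in the table above, is rejected before any DNS work is done, which is exactly the rule recommended to PHP developers above.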
Update to this article Ip Names and IP addresses
I found out later that it was my hosting provider, ... & ..., that was substituting the IP addresses of my visitors with their domain names. Why on earth would anyone want to do that? My only guess is that there were internal staff who were trying to hack my site and did not want to be identified as the culprits. This is because my files were encrypted so that it is impossible for them to read my files from their console panels. My advice to you is that if you notice this occurring at your site, please leave your hosting service provider and move to someone else, or else their staff will pirate your work.
Is China pretending that it is Google?
I have been monitoring visitors to my website and noticed one visitor with the IP address 64.233.173.156. I checked this IP address and the information given by https://www.proxydocker.com/en/proxy/ is:

| Field | Value |
|---|---|
| IP | 64.233.173.156 |
| Hostname | google-proxy-64-233-173-218.google.com |
| Country | Pacific Region (AP) |
| Provider | Google LLC |
| City | n.d. |
| ISP | AS15169 |
| Region | n.d. |
| Postal Code | |
| Continent | Oceania |
| Latitude/Longitude | 35" N, 105" W |

This is shown on the map as located in China. The remote host is identified as: google-proxy-64-233-173-156.google.com
The information I was looking for, which it appears Google cannot provide, is "Is the crawler at IP address 64.233.173.156 a genuine Google crawler or a fake crawler pretending that its IP address is a Google IP address?" The User Agent does not mention "http://www.google.com/bot.html", as shown below:
Mozilla/5.0 (Linux; Android 7.1.1; CPH1801 Build/NMF26F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.109 Mobile Safari/537.36
and it looks like the visitor was using an Android smartphone.
Is it true that the IP address, the user agent and the remote host can all be faked?
I would like to know if this is a genuine Google crawler or a Chinese crawler pretending to be a Google crawler.
The worrisome thing about this is: is this how China is now hacking American contractors and other American sites, by pretending to be Google?
- Dr.Peter Achutha, 2nd May 2018, updated 11 June 2018